Access tokens are objects that describe a process's security context (the identity and privileges of the user account associated with that process). In its sandbox, Adobe Reader uses restricted user access tokens to limit the read, write and execute capabilities of processes. A restricted access token is a token modified with the CreateRestrictedToken function, and it is effective in limiting access to any object protected by a discretionary access control list (DACL).

Restricted tokens in Reader's sandbox are created by modifying two token components: denying or restricting security identifiers (SIDs) and dropping privileges. The resulting token effectively allows writing only to those locations (in the file system or registry) that USERS or EVERYONE has access to, which rules out the entire user profile directory (My Documents, Startup, Temp, etc.) and the system directory (C:\Windows*).
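Why the restricting SIDs confine writes this way can be seen in a simplified model of the Windows DACL access check for a restricted token. This is an added example, not Adobe's code or part of the original article. It assumes USERS and EVERYONE are the restricting SIDs and Administrators is the deny-only SID; the account name and DACLs are constructed, and privilege removal is not modeled.

```python
# Simplified model of the Windows DACL check for a restricted token.
# Account name, SIDs and DACLs are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Token:
    enabled: set                                   # SIDs that match allow and deny ACEs
    deny_only: set = field(default_factory=set)    # SIDs that match deny ACEs only
    restricting: set = field(default_factory=set)  # empty set = unrestricted token

def dacl_allows(dacl, allow_sids, deny_sids, right):
    """Walk ACEs in order; the first ACE covering the right for a held SID decides."""
    for ace_type, sid, rights in dacl:
        if right not in rights:
            continue
        if ace_type == "deny" and sid in deny_sids:
            return False
        if ace_type == "allow" and sid in allow_sids:
            return True
    return False  # no matching ACE: implicit deny

def access_check(token, dacl, right):
    # Pass 1: ordinary SIDs. Deny-only SIDs can trigger a deny, never an allow.
    if not dacl_allows(dacl, token.enabled, token.enabled | token.deny_only, right):
        return False
    # Pass 2 (restricted tokens only): the DACL must also grant the right
    # to one of the restricting SIDs.
    if token.restricting:
        return dacl_allows(dacl, token.restricting, token.restricting, right)
    return True

DACLS = {  # constructed: (ACE type, SID, rights)
    "user profile": [("allow", "alice", {"read", "write"}),
                     ("allow", "Administrators", {"read", "write"})],
    "system directory": [("allow", "Administrators", {"read", "write"}),
                         ("allow", "USERS", {"read"})],
    "shared folder": [("allow", "EVERYONE", {"read", "write"})],
}

NORMAL = Token(enabled={"alice", "Administrators", "USERS", "EVERYONE"})
RESTRICTED = Token(enabled={"alice", "USERS", "EVERYONE"},
                   deny_only={"Administrators"},
                   restricting={"USERS", "EVERYONE"})

def writable(token):
    return sorted(name for name, dacl in DACLS.items()
                  if access_check(token, dacl, "write"))

if __name__ == "__main__":
    print("normal:    ", writable(NORMAL))
    print("restricted:", writable(RESTRICTED))
```

The user profile passes the first check (the user's own SID is still enabled) but fails the second, because its DACL grants nothing to a restricting SID; the system directory already fails the first check because Administrators can no longer be used to grant access.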
